Comments (3)
Fixed. Here is the instruction on how to deploy the fix.
Now passport sends a signed JWT to the oxAuth endpoint. After getting it, the script checks the JWT signature. Also, in this update we removed one redundant step: /oxauth/auth/passport/passportpostlogin.htm -> /oxauth/postlogin. Now passport sends data to /oxauth/postlogin directly.
from gluu-passport.
Which version of gluu are you testing with?
I'm using version 3.1.3. I do not see any newer changes that might mitigate the issue.
The problem is that the communication with gluu-passport is performed via the client browser. I have a test case where I skip any requests to gluu-passport. Instead I am doing the following requests:
- GET https://{{hostname}}/identity
  redirects to https://{{hostname}}/oxauth/auth/passport/passportlogin, inits session
- POST https://{{hostname}}/oxauth/auth/passport/passportpostlogin
  send the "result" of gluu-passport to oxauth, the data is encoded with base64, userid, email, name can be freely changed, accessToken is a random number
- POST https://{{hostname}}/oxauth/auth/passport/passportpostlogin
  send the loginForm data as passportpostlogin.xhtml does, use the same data as in request 2, "javax.faces.ViewState" can be retrieved from request 2
At no stage is anything about the passport authentication verified. The accessToken is never used. In my opinion the communication between gluu-passport and oxauth should not be handled via the client browser.
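The two comments above describe the weakness (oxAuth accepts a base64 profile posted by the browser without anything binding it to a completed external login) and the fix (passport signs a JWT that the oxAuth script verifies). The following is an added example written for this page, not code from gluu-passport or oxAuth (which implement this in Node.js and a Jython interception script). It assumes an HS256 shared key so the example stays standard-library only (a real deployment would use an asymmetric keystore), hypothetical issuer and audience URLs, and that the legacy blob is base64-encoded JSON; the forged profile and all keys are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# ASSUMPTION: a shared HMAC key stands in for the keystore a real deployment
# would use; HS256 is chosen only to keep the example stdlib-only.
SHARED_KEY = b"constructed-example-key-do-not-use"
ISSUER = "https://idp.example/passport"    # hypothetical passport node
AUDIENCE = "https://idp.example/oxauth"    # hypothetical oxAuth endpoint


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- the pattern the report describes: oxAuth trusts a base64 blob ---------
def legacy_handle_postlogin(user_blob_b64: str) -> dict:
    """Decode the base64 'result' and trust it. Nothing ties the blob to a
    completed external login, so the browser can post any identity it likes."""
    profile = json.loads(base64.b64decode(user_blob_b64))
    return {"userid": profile["userid"], "email": profile["email"], "name": profile["name"]}


# --- the fix described in the thread: passport signs a JWT, oxAuth verifies --
def sign_passport_jwt(profile: dict, key: bytes, now: int, ttl: int = 60) -> str:
    """What the passport side would mint after a successful external login."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = dict(profile, iss=ISSUER, aud=AUDIENCE, iat=now, exp=now + ttl)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport_jwt(token: str, key: bytes, now: int) -> dict:
    """Return verified claims or raise ValueError. The algorithm is pinned (so
    'alg: none' is refused), the signature is checked before any claim is used,
    and issuer, audience and expiry are enforced so a token minted for another
    endpoint or captured earlier cannot be replayed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def hardened_handle_postlogin(token: str, now: int) -> dict:
    claims = verify_passport_jwt(token, SHARED_KEY, now)
    return {"userid": claims["userid"], "email": claims["email"], "name": claims["name"]}


# Constructed sample: the kind of forged "result" the report's request 2 carries.
FORGED_PROFILE = {"userid": "admin", "email": "admin@example", "name": "Admin",
                  "accessToken": "123456"}
FORGED_BLOB = base64.b64encode(json.dumps(FORGED_PROFILE).encode()).decode()


def demo(now: int = 1_700_000_000) -> dict:
    """Legacy path accepts the forgery; hardened path rejects a JWT whose
    claims were edited in the browser but accepts one passport actually signed."""
    legacy = legacy_handle_postlogin(FORGED_BLOB)
    good = sign_passport_jwt({"userid": "alice", "email": "a@example", "name": "Alice"},
                             SHARED_KEY, now)
    h, c, s = good.split(".")
    edited = json.loads(_b64url_decode(c))
    edited["userid"] = "admin"              # attacker rewrites the identity claim
    tampered = h + "." + _b64url(json.dumps(edited, separators=(",", ":")).encode()) + "." + s
    try:
        hardened_handle_postlogin(tampered, now)
        tampered_accepted = True
    except ValueError:
        tampered_accepted = False
    return {"legacy_userid": legacy["userid"],
            "hardened_userid": hardened_handle_postlogin(good, now)["userid"],
            "tampered_accepted": tampered_accepted}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened path is that the browser can still carry the message, but it can no longer author it: any change to userid, email or name invalidates the signature, and the audience and expiry claims stop a token from being replayed against a different endpoint or long after the login that produced it.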
Related Issues (20)
- Add support to configure production.js params using envs HOT 1
- Rate-limiting settings being loaded from `node-config` instead of application HOT 2
- remove rate-limit feat - patch HOT 2
- Validator `configDiscovery.validate` is returning data instead of if data is valid or not
- logging "dateTime" test is misplaced and has no action trigger HOT 4
- Invalid Signature error throws browser in redirect loop HOT 2
- update node engines in package.json as per openid-client 5.1.1 requirements
- Upgrade project to use ESM imports HOT 1
- passport-oauth2 moderate severity vulnerability
- Not able to authenticate when using cache provider
- update node version to support latest alpine 3.16 for CN
- feat: allow rate limit settings to be loaded from env
- Passport social login failed. HOT 3
- SAML authn response signature validation bypass due vulnerable component HOT 2
- deprecated packages found in Gluu-server 4.5.0 build HOT 2
- passport-tumblr is unmaintained for 10 years
- `passport-oxd` is deprecated
- fix: extra scope are not sending in passport HOT 2
- PR #547 introduced SAML `inResponseTo` validation related security issue and didn't add notes about other breaking changes to user documentation
- Invalid document signature ERROR